Recently we wrote a blog which argued that brands often seem to issue apologies when they don’t need to.
But there are of course plenty of situations where brands really do need to say ‘sorry’.
And one of those, I would suggest, is when you have lost the data of up to 500 million people.
No that isn’t a misprint. That eye-watering figure was revealed by Marriott Hotels in a statement on Friday about the database of its Starwood reservation being compromised.
To put it into some kind of perspective, when the boss of British Airways was doing the media rounds in September, it was because a data hack had affected around 380,000 transactions. When Cathay Pacific found itself in full crisis media management mode in October, it was because it had lost sensitive information on 9.4million people.
Marriott brought Starwood in 2016 to create the world’s biggest hotel chain. Its data breach is not the biggest ever seen - that dubious honour goes to Yahoo - but it is up there.
And it is particularly troubling for those affected as the lost data includes combinations of names, addresses, phone numbers, email addresses, passport numbers and payment details.
Yet its 646 word statement does not include the word sorry. The closest we got was ‘regret’.
Here’s the quote from Arne Sorenson, the company’s president and chief executive, which forms the key part of the statement.
“We deeply regret this incident happened.
“We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
“Today, Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call centre. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network,”
500 MILLION @Marriott customer records breached THIS is your response? "We fell short of what our guests deserve and what we expect of ourselves,” CEO Arne Sorenson said.
— MoreHumanThanHuman (@MoreHumanThanH3) November 30, 2018
Pathetic. We already know you fell short, obviously.
@Marriott’s initial response to the massive long-running @spg hack is pathetic. “Wow we really learned a valuable lesson from this and we’ll try not to let it happen again...” https://t.co/xm7qrjXi25
— Stephen Foskett (@SFoskett) November 30, 2018
I've used @MarriottIntl hotels often enough that I have an active @MarriottRewards acct. Given this data breach—the kinds of data leaked, the number of customers affected, and the CEO's appallingly lame public response—I am considering never staying at a Marriott property again.
— (((Brian Clapper))) (@brianclapper) November 30, 2018
Words that are missing from the Marriott statement: sorry, inconvenience, apologise, "your data"... The closest I find is that Marriott "regrets this incident happened". It's like they're upset that now they have to do some work, rather than upset that they hurt their customers.
— Alun Jones (@ftp_alun) November 30, 2018
Not only is the statement, which is titled ‘Marriott Announces Starwood Guest Reservation Database Security Incident’ bizarrely lacking in remorse, but it also feels like it is packed with stock corporate response lines – ‘lessons learned’ and ‘moving forward’ being among the chief offenders.
It has the feel of something which has been put together by committee and gone through an extensive sign-off process.
The other big issue for me with the statement is that the key bit – the quote from the boss – is somewhat buried, although that may be because they couldn’t find anything interesting for him to say.
The quote should be near the top of the response to show that the organisation’s managers are leading the management of the incident. It also an opportunity for them to show that they really care.
However, there are some parts of this crisis media management response which I liked. The dedicated website and call centre and the offer of fraud-checking services are good moves which will help the company’s cause.
The email notification for customers is also a good idea, but why did it only begin to send the emails on Friday (30/11), when it first knew of the intrusions at the start of September and had determined what was stolen by November 19?
The final thing to look at is the hotel chain's use of social media. The Marriott International account, which has 425,000 followers, has posted about the breach - albeit in a pretty low key fashion, which could easily be missed. It tweeted: “Marriott values our guests and understands the importance of protecting personal information. For more information on the Starwood guest reservation database security incident, please visit http://info.starwoodhotels.com.”
Marriott values our guests and understands the importance of protecting personal information. For more information on the Starwood guest reservation database security incident, please visit https://t.co/NWd6Dg2oOQ.
— Marriott Internat'l (@MarriottIntl) November 30, 2018
People who tweeted this account with concerns were met with a generic response.
Thanks for reaching out about the Starwood guest reservation database security incident. Please visit https://t.co/NWd6Dg2oOQ for more information about this incident, available resources and steps you can take.
— Marriott Internat'l (@MarriottIntl) November 30, 2018
There is no mention of it on the Marriott Hotels account (@marriott), even though that is the handle most people talking about the incident are using. Neither is there any mention of it on the Starwood Hotels account.
Data breaches are an increasingly common cause of crisis media management incidents. It feels like barely a day goes by without one being reported and it surely will not be long until another brand finds itself in the firing line.
When that happens, I recommend they begin by saying sorry – it really shouldn’t seem to be the hardest word to say.
Find out more about preparing for a crisis by downloading our free crisis media management eBook. It includes a guide to helping you identify the right spokesperson, messaging templates and a risk register to help you identify your organisation’s vulnerabilities.
Media First are media and communications training specialists with over 30 years of experience. We have a team of trainers, each with decades of experience working as journalists, presenters, communications coaches and media trainers.
Click here to find out more about our highly practical crisis communication training.
Subscribe here to be among the first to receive our blogs.
